Kong / kong

🦍 The Cloud-Native API Gateway and AI Gateway.
https://konghq.com/install/#kong-community
Apache License 2.0
39.05k stars 4.79k forks

Not able to verify the Digest header in HMAC authentication #9734

Closed ArulkumarPonnusamy closed 1 year ago

ArulkumarPonnusamy commented 1 year ago

Is there an existing issue for this?

Kong version ($ kong version)

3.0

Current Behavior

HMAC digest validation is not working

Expected Behavior

I am generating the digest string using the body content with the secret. Then I am passing the digest value in the header as "HMAC-256=digeststring".

Steps To Reproduce

No response

Anything else?

```lua
-- Digest check as quoted from Kong's hmac-auth plugin (Lua / OpenResty).
local sha256 = require "resty.sha256"   -- lua-resty-string, bundled with OpenResty
local encode_base64 = ngx.encode_base64

local function validate_body(body, digest_received)
  local digest = sha256:new()
  digest:update(body or '')
  -- raw SHA-256 bytes, base64 encoded, prefixed with the algorithm label
  local digest_created = "SHA-256=" .. encode_base64(digest:final())
  return digest_created == digest_received
end
```

I didn't understand the above code. Are we not using the secret to create the digest string? Also, what is `"SHA-256=" .. encode_base64(digest:final())`? Are we concatenating a static string to the base64 value of the digest?

ArulkumarPonnusamy commented 1 year ago

Anyone, please help.

dndx commented 1 year ago

Hello,

I think you are right that the Digest header only contains the SHA-256 value of the request body itself, not the secret. That is because the Digest header will be signed along with the other headers using the secret, and the signature will be in the Authorization header, which already covers the value of the additional Digest header.

The hash inside Digest is the hash value in binary, then base64 encoded. Not base64 of the hexadecimal form of the binary!
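The two points made above (the Digest header carries only the base64 of the raw SHA-256 of the body, and the secret enters only through the HMAC signature over the headers) in working form. This is an added example, not code from Kong or from anyone in this thread. The username, secret, date, request target and body are constructed; the Authorization header layout (`hmac username=..., algorithm=..., headers=..., signature=...`) and the `@request-target` pseudo-header follow the draft-cavage HTTP Signatures scheme that hmac-auth implements, but exact wire formatting should be checked against the plugin documentation for the Kong version in use. The `make_digest_wrong` function reproduces the failure mode from the reply: base64 of the hex string, which a correct verifier never matches.

```python
"""Client-side signing and server-side checking of an HMAC-signed request that
carries a Digest header. Added example; not Kong's own code."""
import base64
import hashlib
import hmac

# Constructed sample credentials and request (assumptions, not from the issue).
USERNAME = "alice"
SECRET = b"correct-horse-battery-staple"
REQUEST_TARGET = "post /orders"            # lowercased method + path
SIGNED_HEADERS = ["@request-target", "date", "digest"]


def make_digest(body: bytes) -> str:
    """Digest header value: algorithm label + base64 of the RAW SHA-256 bytes.
    No secret is involved; the secret only protects it via the signature."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def make_digest_wrong(body: bytes) -> str:
    """The mistake discussed in the thread: base64 of the hex string instead of
    the raw bytes. A verifier that computes the digest correctly never matches it."""
    hex_str = hashlib.sha256(body).hexdigest()
    return "SHA-256=" + base64.b64encode(hex_str.encode()).decode()


def signing_string(request_target: str, headers: dict, names: list) -> str:
    """String-to-sign: one 'name: value' line per listed header, in the given
    order, using lowercase header names."""
    lines = []
    for name in names:
        if name == "@request-target":
            lines.append(f"@request-target: {request_target}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)


def sign(secret: bytes, request_target: str, headers: dict, names: list) -> str:
    """HMAC-SHA256 over the signing string, base64 encoded. This is the only
    place the shared secret is used."""
    msg = signing_string(request_target, headers, names).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()


def authorization_header(username, secret, request_target, headers, names) -> str:
    """Client side: the Authorization header value sent with the request."""
    sig = sign(secret, request_target, headers, names)
    return (f'hmac username="{username}", algorithm="hmac-sha256", '
            f'headers="{" ".join(names)}", signature="{sig}"')


def validate_body(body: bytes, digest_received: str) -> bool:
    """Mirror of the Lua check quoted in the issue: recompute and compare."""
    return hmac.compare_digest(make_digest(body).encode(), digest_received.encode())


def verify(secret, request_target, headers, body, names, signature) -> bool:
    """Server side: the body must match Digest, and Digest (with the other
    listed headers) must be covered by a valid signature under the secret."""
    if "digest" in names and not validate_body(body, headers.get("digest", "")):
        return False
    expected = sign(secret, request_target, headers, names)
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo() -> dict:
    body = b'{"item":"widget","qty":3}'                      # constructed body
    headers = {"date": "Tue, 15 Nov 2022 08:12:31 GMT", "digest": make_digest(body)}
    sig = sign(SECRET, REQUEST_TARGET, headers, SIGNED_HEADERS)
    tampered = b'{"item":"widget","qty":300}'
    bad_headers = dict(headers, digest=make_digest_wrong(body))
    return {
        "authorization": authorization_header(USERNAME, SECRET, REQUEST_TARGET,
                                              headers, SIGNED_HEADERS),
        "ok": verify(SECRET, REQUEST_TARGET, headers, body, SIGNED_HEADERS, sig),
        # body changed after signing: Digest no longer matches
        "tampered_body": verify(SECRET, REQUEST_TARGET, headers, tampered,
                                SIGNED_HEADERS, sig),
        # client signed correctly but built Digest from the hex string
        "hex_digest": verify(SECRET, REQUEST_TARGET, bad_headers, body, SIGNED_HEADERS,
                             sign(SECRET, REQUEST_TARGET, bad_headers, SIGNED_HEADERS)),
        "wrong_secret": verify(b"other", REQUEST_TARGET, headers, body,
                               SIGNED_HEADERS, sig),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `make_digest_wrong` produces a syntactically valid header that the client can sign without error; the request is rejected only on the server, which is exactly the symptom reported in this issue.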

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.